Malicious Android app had more than 100 million downloads in Google Play

Kaspersky researchers found malware in CamScanner, a text recognition app that was downloaded more than 100 million times from Google Play.

Kaspersky researchers recently found malware in an app called CamScanner, a phone-based PDF creator that includes OCR (optical character recognition) and has more than 100 million downloads in Google Play. Various resources call the app by slightly different names such as CamScanner — Phone PDF Creator and CamScanner-Scanner to scan PDFs.

Official app stores such as Google Play are usually considered a safe haven for downloading software. Unfortunately, nothing is 100% safe, and from time to time malware distributors manage to sneak their apps into Google Play.

The problem is that even such a powerful company as Google can’t thoroughly check millions of apps. Keep in mind that most of the apps are updated regularly, so Google Play moderators’ jobs are never done.

CamScanner was actually a legitimate app, with no malicious intensions whatsoever, for quite some time. It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.

Kaspersky products detect this module as Trojan-Dropper.AndroidOS.Necro.n, which we have observed in some apps preinstalled on Chinese smartphones. As the name suggests, the module is a Trojan Dropper. That means the module extracts and runs another malicious module from an encrypted file included in the app’s resources. This “dropped” malware, in turn, is a Trojan downloader that downloads more malicious modules depending on what its creators are up to at the moment. These malicious modules may show intrusive ads and sign users up for paid subscriptions to external services (not to be mistaken with a legitimate premium subscription to CamScanner).

Although most reviews left by users of the CamScanner on the app’s Google Play page are positive, some of the users have reported on suspicious behavior of the app that they’ve encountered while using the infected version.

Kaspersky researchers examined a recent version of the app and found the malicious module there. We reported our findings to Google, and the app was promptly removed from Google Play.

It looks like app developers got rid of the malicious code with the latest update of CamScanner. Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code.

What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base —can turn into malware overnight. Every app is just one update away from a major change. To make sure you never find yourself in such trouble, use a reliable antivirus for Android app and scan your smartphone from time to time. (The paid version of Kaspersky Internet Security for Android scans automatically.)

We appreciate the willingness to cooperate that we’ve seen from CamScanner representatives, as well as the responsible attitude to user safety they demonstrated while eliminating the threat. We’ve rephrased the line above about paid subscription services to make it clear that the paid subscriptions initiated by malicious modules are not to be mistaken with a legitimate subscription model that many users adopted by choice. The malicious modules were removed from the app immediately upon Kaspersky’s warning, and Google Play has restored the app.

Tips